.\" (C) Copyright 2014 Arturo Borrero Gonzalez , .\" .\" .TH NEOPI 1 "Oct 11, 2016" .\" Please adjust this date whenever revising the manpage. .\" .\"Usage: neopi [options] .\" .\"Options: .\" --version show program's version number and exit .\" -h, --help show this help message and exit .\" -c FILECSV, --csv=FILECSV .\" generate CSV outfile .\" -a, --all Run all (useful) tests [Entropy, Longest Word, IC, .\" Signature] .\" -z, --zlib Run compression Test .\" -e, --entropy Run entropy Test .\" -E, --eval Run signiture test for the eval .\" -l, --longestword Run longest word test .\" -i, --ic Run IC test .\" -s, --signature Run signature test .\" -S, --supersignature Run SUPER-signature test .\" -A, --auto Run auto file extension tests .\" -u, --unicode Skip over unicode-y/UTF'y files .SH NAME neopi \- web shell code detection .SH SYNOPSIS .B neopi [options] [regex] .br .SH DESCRIPTION This manual page documents briefly the .B neopi command. .PP \fBneopi\fP is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches. NeoPI recursively scans through the file system from a base directory and will rank files based on the results of a number of tests. It also presents a “general” score derived from file rankings within the individual tests. .SH OPTIONST The program follows the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of options is included below. .TP .B \-v, \-\-version Show version of program. .TP .B \-h, \-\-help Show summary of options. .TP .B \-C FILECSV, \-\-csv=FILECSV Generates a CSV output to \fIFILECSV\fP containing the results of the scan. 
.TP .B \-a, \-\-all Run all tests including entropy, longest word, and index of coincidence. This is the recommended way of running \fBneopi\fP. .TP .B \-e, \-\-entropy Run only the entropy test. .TP .B \-l, \-\-longestword Run only the longestword test. .TP .B \-c, \-\-ic Run only the Index Coincidence test. .TP .B \-A, \-\-auto This flag runs an auto generated regular expression that contains many common web application file extensions. This list is by no means comprehensive but does include a good ‘best effort’ scan if you are unsure of what web application languages your server is running. Current list of included extensions: php, asp, aspx, sh, bash, zsh, csh, tsch, pl, py, txt, cgi, cfm .SH EXAMPLES neopi \-C scan1.csv \-a \-A /var/www/ neopi \-a /tmp/phpbb "php|txt" neopi \-a \-A /var/www/html/ .SH ABOUT \fBneopi\fP authors are Ben Hagen and Scott Behrens . This man page was written by Arturo Borrero Gonzalez for the Debian GNU/Linux distribution (but it may be used by others).
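The three statistical tests the DESCRIPTION and OPTIONS sections name (entropy, longest word and index of coincidence), shown as an added Python example that is not NeoPI's own code: it runs each test over constructed sample files and sums the per-test ranks into an overall score, a simplified stand-in for the tool's “general” score. The exact formulas, the rank-sum scoring, the sample file contents and the treatment of the \-A extension list as a filename regex are assumptions of this example, not something the man page specifies.

```python
"""Added example (not NeoPI's own code): simplified versions of the entropy,
longest-word and index-of-coincidence tests, run over constructed sample
files and combined into a per-file ranking."""
import base64
import math
import re
from collections import Counter

# Default extension list from the -A/--auto option of this man page,
# assumed here to be applied as a regex against the file name.
AUTO_EXTENSIONS = r"\.(php|asp|aspx|sh|bash|zsh|csh|tsch|pl|py|txt|cgi|cfm)$"

# Constructed sample contents: a plain PHP page, an English README, and a
# file whose body is one long base64 blob (the shape encoded scripts take).
# None of these is real malware; the blob is just base64 of the bytes 0..255.
BLOB = base64.b64encode(bytes(range(256)))
SAMPLES = {
    "index.php": b"""<?php
// simple page: include the header and print a greeting
include 'header.php';
$name = isset($_GET['name']) ? htmlspecialchars($_GET['name']) : 'guest';
echo "<p>Hello, " . $name . "</p>";
include 'footer.php';
""",
    "README.txt": b"""This directory holds the public pages of the site.
Edit the templates in the include folder and keep uploads out of here.
""",
    "cache.php": b'<?php\n$payload = "' + BLOB + b'";\necho strlen($payload);\n',
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encoded data scores high."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_word(data: bytes) -> int:
    """Length of the longest whitespace-delimited token; encoded blobs are long."""
    words = re.split(rb"\s+", data)
    return max((len(w) for w in words), default=0)


def index_of_coincidence(data: bytes) -> float:
    """IC = sum n_i(n_i-1) / N(N-1): natural text scores high, random-looking data low."""
    n = len(data)
    if n < 2:
        return 0.0
    counts = Counter(data)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def matches_auto(filename: str, regex: str = AUTO_EXTENSIONS) -> bool:
    """Apply the -A style extension filter (assumed to be a filename regex)."""
    return re.search(regex, filename) is not None


def rank_files(files: dict) -> list:
    """Rank every file in each test (1 = most suspicious) and sum the ranks;
    the sum is this example's stand-in for NeoPI's "general" score (lower = worse)."""
    tests = {
        "entropy": (entropy, True),             # higher is more suspicious
        "longest_word": (longest_word, True),   # longer is more suspicious
        "ic": (index_of_coincidence, False),    # lower is more suspicious
    }
    totals = {name: 0 for name in files}
    for func, high_is_bad in tests.values():
        ordered = sorted(files, key=lambda f: func(files[f]), reverse=high_is_bad)
        for rank, name in enumerate(ordered, start=1):
            totals[name] += rank
    return sorted(totals.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for name, total in rank_files(SAMPLES):
        data = SAMPLES[name]
        print(f"{name:12s} score={total} entropy={entropy(data):.2f} "
              f"longest={longest_word(data)} ic={index_of_coincidence(data):.4f}")
```

Run over a real web root, the files that rise to the top are those with long single tokens, high entropy and a low index of coincidence; those are candidates for manual review alongside the signature-based tools the DESCRIPTION mentions, not verdicts on their own, since minified JavaScript or embedded images produce the same statistics.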